A new version of the Neeris worm is exploiting the same Microsoft flaw as Conficker. The Neeris worm dates back to 2005, according to Microsoft.
An updated version of an old worm is targeting the same Microsoft
vulnerability exploited by variants of Conficker.
This time around, MS08-067
patched flaw in the Windows Server service-is being targeted by a new variant
of the Neeris worm. Neeris first appeared in 2005, but is now back on the scene
to the Conficker worm.
"It is interesting to note that this new variant of Neeris spiked on late
and during April 1st
," officials at the Microsoft
Malware Protection Center stated
in a blog post. "However it was not
downloaded by any Conficker variant and there's no evidence that it's related
to Conficker.D's April 1 domain algorithm activation."
Conficker.D is also referred to by other vendors as Conficker.C, Downadup.C
and other names. The worm is estimated by many security researchers to
have infected millions of PCs.
The new Neeris variant is detected by Microsoft as Win32/Neeris.gen!C
Earlier versions of the worm exploited MS06-040
which addressed a vulnerability in the same Server service as MS08-067.
If the exploit is successful, the victim's machine downloads a copy of
Neeris from the attacking machine using HTTP. In addition to the Server service
exploit, it also spreads through AutoRun and adds the same "Open folder to
view files" AutoPlay option that Conficker does.
"Neeris began as an IRC bot which spreads itself by sending links through MSN
Messenger," according to the blog post. "It still operates as an IRC bot, but
over time, new spreading methods have been added. The latest variants can
spread via removable drives, SQL servers with weak passwords, exploiting
MS06-040, and finally exploiting MS08-067 in the latest variant."
The new iteration of the malware tries to connect to a command and control
server over Port 449. According to Microsoft, the server password it uses to
log in was used by other bots last February. The malware adds itself to start
every time Windows starts, and adds itself to the Safe Boot configuration as
Due to its similarity to Conficker, many of the same
pieces of advice apply
. Users should install MS08-067 if they have not
already done so, and consider disabling AutoRun.
"The earliest samples of Neeris date back to May of 2005, so it seems the
Conficker authors may be the copycats here," the blog post reads. "But the
Neeris authors added the MS08-067 vector later. Therefore it is possible that
these miscreants somehow collaborate or at least are aware of each other's 'products.'"